Hi, I am not sure how this could have happened, but my WordPress
And this meant that some of my plugins do not work anymore, and that some weird block is shown on my page. This is some kind of hacking: how could this have happened? I have this on all my WordPress blogs (two); is my password somehow compromised? I can easily delete those lines, but how do I make sure it does not happen again?

asked 11 Jun '11, 04:46 nathanvda

You have indeed been compromised somehow. If you'd like us to take a closer look at what happened, could you open a support ticket?

answered 11 Jun '11, 04:52 David L ♦♦

Thanks! I just created a support ticket. (11 Jun '11, 05:09) nathanvda

My websites were also compromised in the same manner. Read this article. I guess it will help you. http://www.dixis.com/?p=511

answered 04 Jul '11, 06:17 Seye Kuyinu

Thank you: I wrote that article :) (06 Nov '11, 05:30) nathanvda

I also got hacked in a similar fashion but well over a year ago. Multiple files were modified and had JavaScript code injected into them. I've since made sure I upgrade WordPress when new security patches are released. As well, I remove write access to the files in the entire tree. So when I update I have to specifically change permissions to allow write access, run the upgrade and change the permissions back.

I'm going on the assumption that this wasn't a compromised password, but that the scripts that make it easy to upgrade WP are accessible to anybody and somebody found a loophole that didn't require authentication. I hope they're not able to execute generic system commands, and all evidence is that this has not happened, and my sites haven't been hacked since.

The way WP is set up on WebFaction (and perhaps elsewhere, heck maybe this is the WP default?) puts the entire directory tree accessible to the web browser. But the wp-includes folder should probably be moved someplace else - as it is, you can ask for and run scripts in the wp-includes folder of your WP site. Of course, moving the wp-includes folder out of the document tree means that you won't be able to run the update quite as automatically.

answered 10 Nov '11, 14:54 Arunas

My three blogs' index.php files were hacked this way. For the moment I have changed my FTP/SSH password, and removed the eval code from the PHP. Everything seems OK now. What else should I do/check?

A good collection of resources for dealing with a compromised WordPress install
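
An added example, not part of any post above and not WordPress's or WebFaction's own tooling: a shell sketch of the permission toggle Arunas describes (write access off, on for an upgrade, off again) together with a listing of PHP files that still contain an `eval` call like the one removed in the last post. The function names and the directory argument are assumptions; pass your own WordPress root.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; $1 is your WordPress root.

# Remove write permission for everyone from every file and directory in the tree.
wp_lock() {
    find "$1" \( -type f -o -type d \) -exec chmod a-w {} +
}

# Give write permission back to the owner only, for the duration of an upgrade.
wp_unlock() {
    find "$1" \( -type f -o -type d \) -exec chmod u+w {} +
}

# List PHP files that contain an eval( call. Legitimate plugin code can use
# eval too, so this is a list to review by hand, not a verdict.
wp_find_eval() {
    # grep exits non-zero when nothing matches; that is not an error here.
    find "$1" -type f -name '*.php' -exec grep -l 'eval[[:space:]]*(' {} + || :
}

# List anything still writable by group or others after locking.
wp_list_loose() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \)
}

# Stand-alone use:  sh wp-perms.sh lock|unlock|scan /path/to/wordpress
case "${1:-}" in
    lock)   wp_lock "$2" && wp_list_loose "$2" ;;
    unlock) wp_unlock "$2" ;;
    scan)   wp_find_eval "$2" ;;
esac
```

Run `unlock` before an upgrade and `lock` afterwards; the web server must not own the files for the lock to be meaningful, otherwise it can simply restore write access itself.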